Microsoft KB Archive/259576

From BetaArchive Wiki
Knowledge Base


Group Policy application rules for domain controllers

Article ID: 259576

Article Last Modified on 2/28/2007


APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)


This article was previously published under Q259576


SUMMARY

Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all domain controllers. This ensures that the members of the domain have a consistent experience regardless of which domain controller they use to log on. Windows 2000 accomplishes this task by allowing only certain setting in the group policy to be applied to domain controllers at the domain level. This group policy behavior is different for member server and workstations.

The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container:

  • All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.)
  • The following three settings in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options:
    • Automatically log off users when logon time expires
    • Rename administrator account
    • Rename guest account



The following settings are applied to Windows Server 2003-based domain controllers only when the group policy is linked to the domain container. (The settings are located in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.)

  • Accounts: Administrator account status
  • Accounts: Guest account status
  • Accounts: Rename administrator account
  • Accounts: Rename guest account
  • Network security: Force logoff when logon hours expire


MORE INFORMATION

These settings from group policy objects are not applied on the Domain Controllers organizational unit because a domain controller can be moved out of the Domain Controllers organizational unit and into a different organizational unit. Using the Domain container allows these setting to be applied regardless of in which organizational unit the domain container resides.

The process for applying these settings on a domain controller includes:

  • The domain controller gathers the list of group policy objects by searching the parent containers of the domain controller's Computer object.
  • The domain controller applies the settings listed earlier only if the group policy object is linked to the Domain container.
  • If there are multiple group policy objects linked to the Domain container, application of the group policy objects starts with the group policy object at the bottom of the list and ends with the group policy object at the top. This results in the group policy object at the top taking precedence over the others.

For more information about Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper at the following Microsoft Web site:

http://www.microsoft.com/windows2000/docs/grouppolwp.doc


Keywords: kbenv kbinfo KB259576



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/259576&oldid=142819
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki